| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /tests/support | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar-inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'tests/support')
| -rw-r--r-- | tests/support/common.rs | 12 | ||||
| -rw-r--r-- | tests/support/factory_bot.rs | 74 | ||||
| -rw-r--r-- | tests/support/mod.rs | 2 |
3 files changed, 0 insertions, 88 deletions
diff --git a/tests/support/common.rs b/tests/support/common.rs
deleted file mode 100644
index 8db5c52b..00000000
--- a/tests/support/common.rs
+++ /dev/null
@@ -1,12 +0,0 @@
-use std::sync::Once;
-
-static INIT: Once = Once::new();
-
-pub fn setup() {
- INIT.call_once(|| {
- tracing_subscriber::fmt()
- .with_test_writer()
- .with_max_level(tracing::Level::WARN)
- .init();
- });
-}
diff --git a/tests/support/factory_bot.rs b/tests/support/factory_bot.rs
deleted file mode 100644
index ba0d9c38..00000000
--- a/tests/support/factory_bot.rs
+++ /dev/null
@@ -1,74 +0,0 @@
-use envoy_types::ext_authz::v3::pb::CheckRequest;
-use envoy_types::pb::envoy::service::auth::v3::AttributeContext;
-use envoy_types::pb::envoy::service::auth::v3::attribute_context::{HttpRequest, Request};
-use std::collections::HashMap;
-use std::net::SocketAddr;
-use std::str::FromStr;
-use tonic::transport::Channel;
-
-#[allow(dead_code)]
-pub fn build<T: Default>() -> T {
- please::build()
-}
-
-pub fn build_with<T, F>(initializer: F) -> T
-where
- T: Default,
- F: std::ops::FnOnce(&mut T),
-{
- please::build_with(initializer)
-}
-
-pub fn build_request(f: impl std::ops::FnOnce(&mut HttpRequest)) -> CheckRequest {
- build_with(|item: &mut CheckRequest| {
- item.attributes = Some(please::build_with(|item: &mut AttributeContext| {
- item.request = Some(please::build_with(|item: &mut Request| {
- item.http = Some(please::build_with(|item: &mut HttpRequest| f(item)));
- }));
- }));
- })
-}
-
-pub fn build_headers(headers: Vec<(String, String)>) -> HashMap<String, String> {
- build_with(|item: &mut HashMap<String, String>| {
- for (key, value) in headers {
- item.insert(key, value);
- }
- })
-}
-
-pub fn build_cedar_authorizer(entities: cedar_policy::Entities) -> authzd::CedarAuthorizer {
- let realpath = std::fs::canonicalize("./etc/authzd").unwrap();
- let path = realpath.as_path();
- authzd::CedarAuthorizer::new_from(path, entities)
-}
-
-pub async fn build_channel(addr: SocketAddr) -> Channel {
- Channel::from_shared(format!("http://{}", addr))
- .expect("Failed to create channel")
- .connect()
- .await
- .expect("Failed to connect to server")
-}
-
-pub async fn build_rpc_client<T, F>(addr: SocketAddr, f: F) -> T
-where
- F: FnOnce(Channel) -> T,
-{
- f(build_channel(addr).await)
-}
-
-pub fn build_user(
- id: &str,
- attrs: std::collections::HashMap<String, cedar_policy::RestrictedExpression>,
-) -> cedar_policy::Entity {
- cedar_policy::Entity::new(
- cedar_policy::EntityUid::from_type_name_and_id(
- cedar_policy::EntityTypeName::from_str("User").unwrap(),
- cedar_policy::EntityId::from_str(id).unwrap(),
- ),
- attrs,
- std::collections::HashSet::new(),
- )
- .unwrap()
-}
diff --git a/tests/support/mod.rs b/tests/support/mod.rs
deleted file mode 100644
index c46f39e5..00000000
--- a/tests/support/mod.rs
+++ /dev/null
@@ -1,2 +0,0 @@
-pub mod common;
-pub mod factory_bot;
